Configuring The Juniper Atp Appliance For Mac

Posted: admin on 20.03.2019

Hi All, I am using the Juniper Network Connect VPN client in Mac OS X to connect to the SSL VPN server of my organisation's network. In a similar way, I will also use 'Cisco AnyConnect Secure Mobility' to connect to a different SSL VPN server.

Book Description: Juniper Networks Secure Access SSL VPN appliances provide a complete range of remote access appliances for the smallest companies up to the largest service providers. As a system administrator or security professional, this comprehensive configuration guide will allow you to configure these appliances to allow remote and mobile access for employees. If you manage and secure a larger enterprise, this book will help you to provide remote and/or extranet access, for employees, partners, and customers from a single platform. Complete coverage of the Juniper Networks Secure Access SSL VPN line including the 700, 2000, 4000, 6000, and 6000 SP.

Learn to scale your appliances to meet the demands of remote workers and offices. Use the NEW coordinated threat control with Juniper Networks IDP to manage the security of your entire enterprise.

This example illustrates how to configure two IPSec VPN tunnels from a Palo Alto Networks appliance to two Zscaler Enforcement Nodes (ZENs): a primary tunnel from the PA-200 appliance to a ZEN in one data center, and a secondary tunnel from the PA-200 appliance to a ZEN in another data center. Zscaler IPSec tunnels support a soft limit of 200 Mbps per tunnel. If your organization wants to forward more than 200 Mbps of traffic, you must configure more IPSec VPN tunnels. For example, if your organization forwards 400 Mbps of traffic, you must configure two primary VPN tunnels and two secondary VPN tunnels. If your organization processes 600 Mbps of traffic, you must configure three primary VPN tunnels and three secondary VPN tunnels. In this example, the IP address of the primary ZEN is 95.172.74.5, and the IP address of the secondary ZEN is 199.168.151.112.

You can learn how to locate the ZEN IP addresses for your organization in the Prerequisites section below. Organizations typically forward all traffic destined for any port to the Zscaler service. Alternatively, you can limit the traffic that you forward to the service to HTTP and HTTPS traffic (traffic destined for port 80 and port 443).

Regardless, tunneling provides visibility into the internal IP addresses, which can be used for the Zscaler security policies and logging.

Prerequisites

Ensure you have the following information for setting up the tunnels: Ensure that the locations of the correspond to the locations of the.

If you are unable to ping both ZEN IP addresses, please contact.

Configuring the IPSec VPN Tunnel in the Zscaler Admin Portal

To configure the IPSec VPN tunnels in the Zscaler Admin Portal: Note the IP address or FQDN and the pre-shared key (PSK) of the added VPN credentials. You need this information when linking the VPN credentials to a location and creating the IKE gateways.

Configuring the IPSec VPN Tunnels on PA-200

This section describes how to configure two IPSec VPN tunnels on a PA-200 firewall running version 4.1.16. Refer to Palo Alto Networks documentation for additional information about the web interface. The following image shows the lab setup.

The ethernet1/2 interface represents the internal corporate network. All traffic from the corporate network will egress through this interface. The ethernet1/4 interface is the external interface. Traffic destined for any external network goes out through this interface.

Ensure that the internal network is in the trust security zone and that the external network is in the untrust security zone. Also, ensure that these two interfaces are in the same virtual router (default). To configure the IPSec VPN tunnels on the PA-200, do the following tasks:

Troubleshooting

Following are some sample commands that you can use to monitor and troubleshoot the VPNs. Make an SSH connection to the PA-200 and log in to the CLI to execute the commands.

A. Configuring the Tunnel Interfaces

Configure two tunnel interfaces on the external interface (ethernet1/4).

Ensure both tunnels are configured in the untrust security zone. In this example, the primary tunnel interface is named tunnel.1 with the source IP address 10.96.19.91. The secondary tunnel interface is named tunnel.2 with the source IP address 10.96.19.92. To configure the primary tunnel interface:

In the Palo Alto Networks web interface, go to Network > Interfaces. Click the Tunnel tab. In the Tunnel Interface window, do the following:
- Interface Name: Enter a name for the tunnel interface, such as tunnel.1.
- Netflow Profile: Choose the appropriate NetFlow profile. In this example, it's None.
- Comment: (Optional) Enter additional notes or information.


- IP: Palo Alto Networks uses ICMP probes for tunnel and policy-based forwarding monitoring. Enter the source IP address from which the ICMP monitoring probes will be initiated. The source IP address can be any IP address that does not coincide with an existing subnet. In this example, the IP is 10.96.19.91.
- Management Profile: Choose the appropriate management profile.
- MTU: Enter the optimal MTU for your tunnel. In this example, it's 1400.
- Assign Interface To:
  - Virtual Router: Choose default.

  - Security Zone: Choose untrust.
Click Save and then OK. Click Commit and then OK.

Repeat this procedure to configure the secondary tunnel interface (tunnel.2) using the source IP address 10.96.19.92. You need these two tunnel interfaces for step 3 of task F (Creating the IPSec VPN Tunnels) and step 6 of task G (Defining the Policy-Based Forwarding Rule) below.

B. Creating the IKE Crypto Profile

Create an IKE crypto profile that specifies the security settings for the IKE phase 1 negotiations. To create an IKE crypto profile:

In the Palo Alto Networks web interface, go to Network > Network Profiles > IKE Crypto.

In the IKE Crypto Profile window, do the following:
- Name: Enter a name for the IKE crypto profile, such as Zscaler.
- DH Group: Click Add, and choose group2.
- Encryption: Click Add, and choose aes128.
- Authentication: Click Add, and choose sha1.
- Lifetime: Set it to 24 hours.
You need this IKE crypto profile for step 5 of task C (Creating the IKE Gateway) below.

C. Creating the IKE Gateway

Create two IKE gateways, one for each Zscaler IPSec VPN node. In this example, the primary gateway is named ZscalerPT with the ZEN IP address 165.225.80.35. The secondary gateway is named ZscalerBT with the ZEN IP address 185.46.212.35. To create the primary IKE gateway: In the Palo Alto Networks web interface, go to Network > Network Profiles > IKE Gateways.

In the IKE Gateway window, do the following:
- Name: Enter a name for the IKE gateway, such as 'ZscalerPT'.
- Interface: Choose the external interface ethernet1/4.
- Local IP Address: Choose None.
- Peer IP Type: Choose Static.
- Peer IP Address: Enter the ZEN IP address for the primary gateway. In this example, it's 165.225.80.35.
- Pre-shared Key: Enter the pre-shared key of the VPN credentials you created in the Zscaler admin portal.
- Confirm Pre-shared Key: Reenter the pre-shared key.
- Show Advanced Phase 1 Options: Select to show the following options.
  - Local Identification: Enter the FQDN or IP address of the VPN credentials you created in the Zscaler admin portal. In this example, it's the IP address 99.41.72.25.
  - Peer Identification: Choose None.
  - Exchange Mode: Choose aggressive.
  - IKE Crypto Profile: Choose the IKE crypto profile you created in task B (Creating the IKE Crypto Profile). In this example, it's Zscaler.
  - Enable Passive Mode: Deselect.
  - Enable NAT Traversal: Select.
  - Dead Peer Detection: Select.
    - Interval: Enter '20'.
    - Retry: Enter '5'.

Repeat the procedure to create the secondary IKE gateway (ZscalerBT) using the ZEN IP address 185.46.212.35. You need these two IKE gateways for step 3 of task F (Creating the IPSec VPN Tunnels) below.

D. Creating the IPSec Crypto Profile

Create an IPSec crypto profile that specifies the security parameters for the IKE phase 2 negotiations.

To create an IPSec crypto profile: In the Palo Alto Networks web interface, go to Network > Network Profiles > IPSec Crypto.

In the IPSec Crypto Profile window, do the following:
- Name: Enter a name for the IPSec crypto profile, such as Zscaler-IPSec.
- IPSec Protocol: Ensure ESP is chosen.
- Encryption: Click Add, and choose null for null encryption. If you want to use AES and have the subscription, you can select aes128. Zscaler recommends using null encryption because this reduces the load on the local router/firewall for traffic destined for the Internet. If you would like to use AES, you may purchase a separate subscription.
- Authentication: Click Add, and choose md5.
- DH Group: Ensure group2 is chosen.
- Lifetime: Set it to 8 hours.
- Lifesize: (Optional) Set the lifesize according to your incoming traffic volume.
You need this IPSec crypto profile for step 3 of task F (Creating the IPSec VPN Tunnels) below.

E. Creating the Tunnel Monitor Profile

A tunnel monitor profile specifies how the firewall monitors IPSec tunnels and the actions it takes if the tunnel is unavailable. To create a tunnel monitor profile: In the Palo Alto Networks web interface, go to Network > Network Profiles > Monitor. In the Monitor Profile window, do the following:
- Name: Enter a name for the monitor profile, such as fail-over.
- Action: Choose fail-over.
- Interval (sec): Enter '20'.
- Threshold: Enter '5'.
You need this tunnel monitor profile for step 3 of task F (Creating the IPSec VPN Tunnels) below.

F. Creating the IPSec VPN Tunnels

Create two IPSec VPN tunnels to two different ZENs. In this example, the primary IPSec tunnel is configured from the primary IKE gateway (ZscalerPT), which has the ZEN IP address 165.225.80.35 and the Virtual IP address 165.225.80.34.

The secondary IPSec tunnel is configured from the secondary IKE gateway (ZscalerBT), which has the ZEN IP address 185.46.212.35 and the Virtual IP address 185.46.212.34. To create the primary IPSec VPN tunnel: In the Palo Alto Networks web interface, go to Network > IPSec Tunnels. In the IPSec Tunnel window, under the General tab, do the following:
- Name: Enter a name for the tunnel, such as ZscalerPrimaryT.
- Tunnel Interface: Choose the primary tunnel interface you created in task A (Configuring the Tunnel Interfaces). In this example, it's tunnel.1.
- Type: Ensure Auto Key is chosen.
- IKE Gateway: Choose the primary IKE gateway you created in task C (Creating the IKE Gateway). In this example, it's ZscalerPT.
- IPSec Crypto Profile: Choose the IPSec crypto profile you created in task D (Creating the IPSec Crypto Profile). In this example, it's Zscaler-IPSec.
- Show Advanced Options: Select to show the following options.
  - Enable Replay Protection: Select.
  - Copy TOS Header: Deselect.
  - Tunnel Monitor: Select.
    - Destination IP: Enter the GRE Virtual IP address of your primary tunnel. In this example, it's 165.225.80.34.
    - Profile: Choose the tunnel monitor profile you created in task E (Creating the Tunnel Monitor Profile). In this example, it's fail-over.

In the Proxy IDs tab, click Add, and do the following:
- Proxy ID: Enter a name for the proxy.
- Local: Enter the local IP address 0.0.0.0/0.
- Remote: Enter the remote IP address 0.0.0.0/0.
- Protocol: Ensure Any is chosen.
Click OK again. Click Save and then OK. Click Commit and then OK.

Repeat the procedure to create a secondary IPSec VPN tunnel (ZscalerSecondaryT) using the secondary tunnel interface (tunnel.2), IKE gateway (ZscalerBT), and ZEN Virtual IP address (185.46.212.34).


G. Defining the Policy-Based Forwarding Rule

Define two policy-based forwarding rules to route the traffic from the Palo Alto Networks appliance into the tunnels. To define the primary policy-based forwarding rule: In the Palo Alto Networks web interface, go to Policies > Policy Based Forwarding.

In the General tab, do the following:
- Name: Enter a name for the policy, such as PTpolicy.
- Description: (Optional) Enter a description.
- Tags: (Optional) Choose a tag.

In the Source tab, under Zone, click Add, and choose trust.

In the Destination/Application/Service tab, do the following:
- Destination Address: Ensure Any is selected.
- Applications: Ensure Any is selected.
- Service: Ensure Any is chosen. Note that if you only want to send traffic to port 80/443, click Add, and choose service-http and service-https.

In the Forwarding tab, do the following:
- Action: Choose Forward.
- Egress Interface: Choose the primary tunnel interface you created in task A (Configuring the Tunnel Interfaces). In this example, it's tunnel.1.
- Next Hop: Leave this field blank.
- Monitor: Select.


  - Profile: Choose fail-over.
  - Disable this rule if nexthop/monitor ip is unreachable: Select.
  - IP address: Enter the GRE Virtual IP address of your primary tunnel. In this example, it's 165.225.80.34.
- Schedule: Choose None.

Repeat the procedure to define the policy-based forwarding rule for the secondary tunnel (BTpolicy) using the secondary tunnel interface (tunnel.2) and ZEN Virtual IP address (185.46.212.34).

Sample output of the show vpn ike-sa command on the PA-200:

show vpn ike-sa

phase-1 SAs
GwID/client IP  Peer-Address    Gateway Name  Role  Mode  Algorithm           Established      Expiration       V   ST  Xt  Phase2
1               165.225.80.35   ZscalerPT     Init  Aggr  PSK/DH2/A128/SHA1   Nov.14 10:57:54  Nov.14 18:57:54  v1  12  5   2342
2               185.46.212.35   ZscalerBT     Init  Aggr  PSK/DH2/A128/SHA1   Nov.14 11:15:05  Nov.14 19:15:05  v1  12  1   2156

Show IKEv1 IKE SA: Total 2 gateways found. 2 ike sa found.

Phase-2 SAs
GwID/client IP  Peer-Address    Gateway Name  Role  Algorithm                SPI(in)   SPI(out)  MsgID     ST  Xt
1               165.225.80.35   ZscalerPT     Init  DH2 /tunl/ESP/NULL/MD5   A9E46021  08F92DD3  F6A1AA02  9   1
2               185.46.212.35   ZscalerBT     Init  DH2 /tunl/ESP/NULL/MD5   CDA37FAC  0B84DBFD  4CDC542F  9   1

Show IKEv1 phase2 SA: Total 2 gateways found. 2 ike sa found.
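As an added example (not code from the original page, Palo Alto Networks or Zscaler), the following Python checker parses the show vpn ike-sa output above and reports, for each expected gateway, whether phase-1 and phase-2 SAs exist and whether the negotiated settings include IKEv1 aggressive mode with a PSK or ESP null encryption (which, as configured in task D, authenticates the tunnel payload but does not encrypt it). The sample text is constructed from the rows shown above with one SA per line; the gateway names and that row layout are assumptions.

```python
from collections import namedtuple

Phase1SA = namedtuple("Phase1SA", "gw_id peer name role mode algo established expires version")
Phase2SA = namedtuple("Phase2SA", "gw_id peer name role dh algo spi_in spi_out")

# Constructed sample: the rows from the page's `show vpn ike-sa` output, one SA per line.
SAMPLE = """\
phase-1 SAs
GwID/client IP Peer-Address Gateway Name Role Mode Algorithm Established Expiration V ST Xt Phase2
1 165.225.80.35 ZscalerPT Init Aggr PSK/DH2/A128/SHA1 Nov.14 10:57:54 Nov.14 18:57:54 v1 12 5 2342
2 185.46.212.35 ZscalerBT Init Aggr PSK/DH2/A128/SHA1 Nov.14 11:15:05 Nov.14 19:15:05 v1 12 1 2156
Show IKEv1 IKE SA: Total 2 gateways found. 2 ike sa found.
Phase-2 SAs
GwID/client IP Peer-Address Gateway Name Role Algorithm SPI(in) SPI(out) MsgID ST Xt
1 165.225.80.35 ZscalerPT Init DH2 /tunl/ESP/NULL/MD5 A9E46021 08F92DD3 F6A1AA02 9 1
2 185.46.212.35 ZscalerBT Init DH2 /tunl/ESP/NULL/MD5 CDA37FAC 0B84DBFD 4CDC542F 9 1
Show IKEv1 phase2 SA: Total 2 gateways found. 2 ike sa found.
"""

def parse_ike_sa(text):
    """Return ({gateway: Phase1SA}, {gateway: Phase2SA}) keyed by gateway name."""
    phase1, phase2, section = {}, {}, None
    for line in text.splitlines():
        t = line.split()
        if line.lower().startswith("phase-1"):
            section = 1
        elif line.lower().startswith("phase-2"):
            section = 2
        elif t and t[0].isdigit():  # data row; header and summary lines are skipped
            if section == 1 and len(t) == 14:  # date and time are two tokens each
                phase1[t[2]] = Phase1SA(int(t[0]), *t[1:6], f"{t[6]} {t[7]}", f"{t[8]} {t[9]}", t[10])
            elif section == 2 and len(t) == 11:
                phase2[t[2]] = Phase2SA(int(t[0]), *t[1:8])
    return phase1, phase2

def audit_tunnels(text, expected=("ZscalerPT", "ZscalerBT")):
    """Findings a defender wants from the SA table: missing SAs and weak negotiated settings."""
    phase1, phase2 = parse_ike_sa(text)
    findings = []
    for gw in expected:
        p1, p2 = phase1.get(gw), phase2.get(gw)
        if p1 is None:
            findings.append(f"{gw}: no IKE phase-1 SA (tunnel not negotiated)")
        elif p1.mode == "Aggr" and p1.algo.startswith("PSK"):
            findings.append(f"{gw}: IKEv1 aggressive mode with PSK (peer identities sent in the clear)")
        if p2 is None:
            findings.append(f"{gw}: no IPSec phase-2 SA (no traffic can be carried)")
        elif "/NULL/" in p2.algo:
            findings.append(f"{gw}: ESP null encryption (integrity only, payload not confidential)")
    return findings
```

Feed the checker the real command output captured over SSH; an empty findings list means both tunnels are up and no flagged settings were negotiated.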